EAP-Transport Layer Security or EAP-TLS, defined in RFC 2716, is an IETF open standard,
and is well-supported among wireless vendors. It offers a good deal of security,
since TLS is considered the successor of the SSL standard. It uses PKI to secure
communication to the RADIUS authentication server or another type of Authentication
Server, and this fact may make it seem like a daunting task to set up. So even
though EAP-TLS provides excellent security, the overhead of client-side
certificates may be its Achilles' heel.

EAP-TLS is the original standard wireless LAN EAP authentication protocol.
Although it is rarely deployed, it is still considered one of the most secure
EAP standards available and is universally supported by all manufacturers of
wireless LAN hardware and software including Microsoft. The requirement for a
client-side certificate, however unpopular it may be, is what gives EAP-TLS its
authentication strength and illustrates the classic convenience vs. security
trade-off. A compromised password is not enough to break into EAP-TLS enabled
systems because the hacker still needs to have the client-side certificate.
When the client-side certificates are housed in smartcards, this offers the most
security available because there is no way to steal a certificate's private key
from a smartcard without stealing the smartcard itself. It is significantly more
likely that physical theft of a smartcard would be immediately noticed and the
smartcard revoked and a new card issued than that password theft would be noticed
and the password changed or account disabled.